From: Willem Toorop Date: Wed, 20 Jan 2021 21:17:48 +0000 (+0100) Subject: More than one ZOMEMD RRs with same Scheme and Hash Algorithm MUST NOT be considered X-Git-Tag: 1.8.0-rc.1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9abc43cb2e5ea01edad43b6aeeea441baa089d6;p=thirdparty%2Fldns.git More than one ZOMEMD RRs with same Scheme and Hash Algorithm MUST NOT be considered
---
diff --git a/dnssec_zone.c b/dnssec_zone.c
index 5d2a5d2d..629e6423 100644
--- a/dnssec_zone.c
+++ b/dnssec_zone.c
@@ -1479,6 +1479,8 @@ struct struct_zone_digester {
 ldns_sha512_CTX sha512_CTX;
 unsigned simple_sha384 : 1;
 unsigned simple_sha512 : 1;
+ unsigned double_sha384 : 1;
+ unsigned double_sha512 : 1;
 };
 typedef struct struct_zone_digester zone_digester;
@@ -1498,11 +1500,27 @@ zone_digester_add(zone_digester *zd, zonemd_scheme scheme, zonemd_hash hash)
 case ZONEMD_SCHEME_SIMPLE:
 switch (hash) {
 case ZONEMD_HASH_SHA384:
+ if (zd->double_sha384)
+ return LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE;
+
+ else if (zd->simple_sha384) {
+ zd->simple_sha384 = 0;
+ zd->double_sha384 = 1;
+ return LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE;
+ }
 ldns_sha384_init(&zd->sha384_CTX);
 zd->simple_sha384 = 1;
 break;
 case ZONEMD_HASH_SHA512:
+ if (zd->double_sha512)
+ return LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE;
+
+ else if (zd->simple_sha512) {
+ zd->simple_sha512 = 0;
+ zd->double_sha512 = 1;
+ return LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE;
+ }
 ldns_sha512_init(&zd->sha512_CTX);
 zd->simple_sha512 = 1;
 break;
diff --git a/error.c b/error.c
index 60a76d55..f477f3aa 100644
--- a/error.c
+++ b/error.c
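Review bot: In both the SHA384 and SHA512 cases the `else` on the second guard is dead, because the first guard has already returned, and the blank added line between the two guards makes them read as unrelated statements; each case is clearer as `if (zd->double_sha384) return LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE; if (zd->simple_sha384) { ... }` with no `else` and no blank line. Functionally, the second occurrence clears `simple_sha384` so that scheme/hash pair is no longer considered, which is what the MUST NOT in the title asks for, but the same call also returns an error status; if the caller (outside this hunk) treats any non-OK return as fatal, one duplicated SHA384 pair would block verification of an intact SHA512 ZONEMD instead of merely being ignored, which is worth confirming and worth a comment above the guard such as `/* duplicate scheme/hash pair: stop considering it, other pairs stay valid */`. The hunk header counts 11 old lines but only ten are visible here, so a trailing context line appears lost in rendering, and zone_digester_add continues outside the hunk.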
@@ -157,6 +157,8 @@ ldns_lookup_table ldns_error_str[] = {
 "X509_STORE_CTX_set0_dane() functions within OpenSSL >= 1.1.0 "
 "to be able to verify the DANE-TA usage type." },
 #endif
+ { LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE, "A ZONEMD with the same " " and hash algorithm occurred more than once." },
 { LDNS_STATUS_ZONEMD_UNKNOWN_SCHEME, "Unknown ZONEMD " },
 { LDNS_STATUS_ZONEMD_UNKNOWN_HASH, "Unknown ZONEMD hash algorithm" },
 { LDNS_STATUS_ZONEMD_INVALID_SOA,
diff --git a/ldns/error.h b/ldns/error.h
index e5580fcf..8a642c91 100644
--- a/ldns/error.h
+++ b/ldns/error.h
@@ -130,6 +130,7 @@ enum ldns_enum_status {
 LDNS_STATUS_SYNTAX_SUPERFLUOUS_TEXT_ERR,
 LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW,
 LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA,
+ LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE,
 LDNS_STATUS_ZONEMD_UNKNOWN_SCHEME,
 LDNS_STATUS_ZONEMD_UNKNOWN_HASH,
 LDNS_STATUS_ZONEMD_INVALID_SOA,
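Review bot: The new message as shown reads `"A ZONEMD with the same " " and hash algorithm occurred more than once."`, which concatenates to "the same  and hash algorithm" with the word for the scheme missing; the existing `"Unknown ZONEMD "` entry just below shows the same gap, so this is likely the page rendering rather than the source, but the committed text should be checked to read `"A ZONEMD with the same scheme and hash algorithm occurred more than once."`. The second string fragment also carries no `+` marker in this rendering, so whether the entry is one added line or two cannot be told from here; the hunk header's +8 count implies two. The table continues outside the hunk.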
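Review bot: LDNS_STATUS_ZONEMD_DOUBLE_OCCURRENCE is inserted in the middle of enum ldns_enum_status, which renumbers LDNS_STATUS_ZONEMD_UNKNOWN_SCHEME and every enumerator after it; if any of those codes has already shipped in a released ldns, programs built against the older ldns/error.h will map status numbers to the wrong strings and comparisons until rebuilt. The X-Git-Tag of 1.8.0-rc.1 suggests the ZONEMD codes are still pre-release, in which case this is harmless, but a comment in the enum such as `/* append new status codes at the end: enumerator values are part of the library ABI */` would prevent the same pattern after release. enum ldns_enum_status continues outside the hunk.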